No matter how you've hardened your SQL Server systems, a weak network design can still undermine the best of database security controls. It's easy to assume that all's well inside the network perimeter. The external firewall is all-protecting -- at least that's the common belief.
Firewall or not, database security weaknesses at the network layer are introduced for one simple reason: convenience. IT administrators have been in a constant battle between security and convenience, long before security was cool. Be it a less-visible internal system or an Internet-facing e-commerce application, the time and effort required to implement the solution ASAP often beat out any attempt to deploy things securely. It's the path of least resistance. It's "time to market." It's whatever it takes to get it done and then move on to put out the next fire. Sure, you reach a solution more quickly, but it's not good for business. We've all been guilty of such practices.
The convenience element is what leads to putting SQL Server systems on the network where they shouldn't be. Oftentimes, the servers are directly accessible from the Internet. I've recently seen this very thing: a SQL Server system directly accessible from the Internet – all because business partners needed easy access to the data. A better plan, such as a VPN, introduced too much of an, ahem, inconvenience. Suffice it to say the outcome was not good.
The Internet issue is obvious, but don't forget about the internal network. I hear about and see a lot of people "VLANing" everything,
yet, it's often very simple to track down and connect to SQL Server systems from anywhere inside the building. They're just sitting there – along with all the other servers and workstations – waiting to be poked, prodded and attacked by curious or rogue insiders. With all of the fancy security features built into the network switches, routers and firewalls on most networks, they're still not being used at even their most basic levels. Even old-fashioned packet filtering can do wonders to protect a SQL Server system – if it's used.
It doesn't really matter if it's a critical enterprise application or a benign installation of SQL Server 2005 Express, every database counts. One compromised SQL Server system leads to attacks on others. Check all of your databases to see just how accessible they are. Look at them from every angle: in front of the firewall, behind the firewall and beside the firewall. It pays to use good tools too. SQLPing is a great start for finding live SQL Server systems. Once you track them down, move on to more advanced vulnerability scanners such as GFI LANguard Network Security Scanner and QualysGuard and, finally, database-specific scanners such as AppDetectivePro and NGSSQuirrel to find out how they can be exploited.
Once you take a step back and look at the big picture, it'll be obvious just how important your network infrastructure is when it comes to protecting your databases. Find the flaws and plug the holes using network-layer controls whenever you can. You'll ward off internal and external attacks and be one step closer to reasonable and practical SQL Server security.
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummiesand Hacking Wireless Networks For Dummies(Wiley). He's also the creator of the Security on Wheels information security audio books and blogproviding security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in January 2008